I. General Provisions
1.1 Policy Purpose
This policy is formulated in accordance with the EU General Data Protection Regulation (GDPR) and relevant member states’ privacy regulations, and aims to clarify the processing rules for personal data within the EU and involving EU citizens, protect the legitimate rights and interests of data subjects, and regulate the behavior of data controllers and processors.
1.2 Applicable Subjects
This policy applies to all entities that conduct business in the EU and process personal data of EU citizens, including but not limited to enterprises, social organizations, public institutions, etc. Even if the entity is located outside the EU, as long as its data processing activities involve EU citizens and are related to the provision of goods or services in the EU, it must comply with this policy.
II. Definition and processing principles of personal data
2.1 Scope of personal data
Personal data refers to any information related to an identified or identifiable natural person, including:
Identity information: name, ID number, passport number, date of birth, etc.;
Contact information: phone number, email address, home address, social media account, etc.;
Behavioral data: browsing history, purchase history, location track, device identifier, etc.;
Sensitive data: race, religious beliefs, political inclinations, health status, biometric data (such as fingerprints, facial features), etc. The processing of such data must meet more stringent conditions.
2.2 Data Processing Principles
Data processing activities must comply with the following principles:
Legality: Data processing must be based on legal reasons, such as obtaining the consent of the data subject, fulfilling contractual obligations, complying with legal provisions, etc.;
Fairness: Data shall not be processed by concealing or misleading means, and the purpose and method of processing shall be clearly informed to the data subject;
Transparency: Disclose relevant information about data processing to the data subject in clear and understandable language;
Purpose limitation: Data shall only be collected for specific, clear and legitimate purposes, and shall not be processed beyond the scope of such purpose;
Minimization: The collected data shall be limited to the scope necessary to achieve the processing purpose, and excessive collection shall be avoided;
Accuracy: Take reasonable measures to ensure that the data is accurate and complete, and any errors shall be corrected in a timely manner;
Storage limitation: The storage period of data shall not exceed the time necessary to achieve the processing purpose, and shall be deleted or anonymized in accordance with the law after expiration;
Integrity and confidentiality: Take appropriate technical and organizational measures to protect data security and prevent unauthorized access, disclosure, tampering or destruction.
III. Rights of data subjects and how to exercise them
3.1 Rights content
Data subjects enjoy the following rights according to law (refer to relevant provisions of GDPR for specific content):
Right to know, right to consent, right to access, right to correction, right to deletion (right to be forgotten), right to restrict processing, right to data portability, right to object (see the "Rights of Data Subjects" section above for details).
3.2 Ways to exercise rights
Data subjects can exercise their rights in the following ways:
Send a written application to the contact information specified by the data controller (such as email address, mailing address);
Submit an application through the online form provided by the data controller;
Directly contact the privacy protection officer of the data controller.
The data controller shall respond within one month after receiving the application, and may extend the period by two months if the situation is complicated, but the data subject shall be informed of the reason for the extension in a timely manner.
IV. Obligations of Data Controllers and Processors
4.1 Obligations of Data Controllers
Establish and improve data protection management systems and designate data protection officers (if applicable);
Carry out data protection impact assessments, conduct prior assessments of high-risk data processing activities (such as large-scale monitoring and processing of sensitive data) and take risk mitigation measures;
Record data processing activities, including information such as data sources, processing purposes, recipients, and storage periods;
Provide data subjects with clear privacy policy notices, including but not limited to data processing purposes, methods, and ways to exercise rights;
Ensure that data processing activities comply with legality requirements and regularly review the necessity and appropriateness of data processing.
4.2 Obligations of Data Processors
Process data strictly in accordance with the written instructions of the data controller and do not change the processing purpose or method without permission;
Take security protection measures at the same level as the data controller, such as encryption technology, access rights management, etc.;
Assist the data controller in fulfilling obligations such as data subject rights response and data breach notification;
If a third party is required to process data, the data controller’s consent must be obtained in advance and the third party must meet the same data protection requirements.
V. Data security and leakage response
5.1 Security measures
Data controllers and processors should take the following security measures:
Technical measures: data encryption, firewalls, intrusion detection systems, regular security audits, etc.;
Organizational measures: employee data protection training, access rights classification management, confidentiality agreement signing, etc.;
Emergency measures: formulate emergency plans for data security incidents, and clarify emergency response processes and responsible persons.
5.2 Data leakage handling
Upon discovery of a data leakage, the data controller should immediately take remedial measures and report to the relevant regulatory authorities within 72 hours (if the leakage may pose a high risk to the rights of the data subject);
If the leakage may cause the data subject to significant risks (such as identity theft, financial losses), the affected data subject must be notified in a timely manner, and the leakage, possible impact and response suggestions must be informed;
Record detailed information on the leakage incident, including the time of occurrence, cause, scope of impact, measures taken, etc., for inspection by the regulatory authorities.
VI. Rules for Cross-border Data Transfer
In addition to the adequacy determination, standard contractual clauses, and binding corporate rules described in the "Cross-border Data Transfer" section above, please also note that:
Cross-border data transfer for public interests (such as judicial cooperation and public health) must comply with the laws of the EU and relevant countries;
Before data is transferred, the data protection level of the receiving country must be assessed to ensure that the data can still be effectively protected after the transfer;
Perform risk assessment on cross-border data transfer and take supplementary protection measures (such as data anonymization and encrypted transmission) when necessary.
VII. Legal Liability and Dispute Resolution
7.1 Legal Liability
Violation of this Policy and EU privacy regulations may result in a fine of up to 20 million euros or 4% of global annual turnover (whichever is higher);
If the data subject suffers losses due to data processing activities, he or she has the right to claim compensation from the data controller or processor, and the relevant subject must bear the burden of proof to prove that he or she is not at fault.
7.2 Dispute Resolution
If the data subject believes that his rights have been infringed, he may take the following measures to resolve the issue:
Filing a complaint to the data controller or processor and requesting rectification;
Filing a complaint to the local data protection regulator, which will investigate and handle the case in accordance with the law;
Filing a lawsuit through judicial channels and requiring the infringing party to bear liability for compensation.
VIII. Supplementary Provisions
8.1 Policy Updates
This policy will be updated according to the revision of EU privacy regulations and actual business needs. After the update, the data subject will be notified through the official website of the data controller, email, etc. The updated content will take effect from the date of publication.
8.2 Right of Interpretation
The data controller is responsible for interpreting this policy. If you have any questions about the content of the policy, you can contact the privacy protection department of the data controller.